Major Crypto Bug Cripples Ubuntu Linux Security (PC Magazine)

2008.05.15 - Linux and Open Source - Source: RSS.NEWS.YAHOO.COM

Larry Seltzer - eWEEK Thu May 15, 8:39 AM ET

A major problem has been revealed in Debian Linux and derivative packages, such as Ubuntu. Debian revealed the other day that a fix they made back in September 2006 had the unintended consequence of crippling the strength of their OpenSSL distribution.

OpenSSL is used, of course, for Secure Sockets Layer, which provides authentication and encryption for web traffic, but it's also used for other cryptography functions. OpenSSL is a very important package that brought public key cryptography to the masses; prior to OpenSSL, HTTPS web sites were expensive and complicated to build.

The strength of public key encryption relies, in large part, on the large number of potential keys that could be used to encrypt data. Keys are often 1024 or 2048 or 4096 bits long; these store very large numbers so a brute force attack, trying all of the possibilities, could take a prohibitive amount of time.

But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.

Because of OpenSSL's centrality, Linux sites are often deeply reliant on certificates generated by OpenSSL to encrypt network traffic. Fixing the problem is not just a matter of updating the software; you also have to go back and generate new certificates and have them signed. This is complicated stuff, not for the novice Linux user. Expect tools to come along soon to help.
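To show why the key length stops mattering once only 32768 generator states are possible, and how an administrator can find which keys need regenerating, here is an added example that is not from the article or from OpenSSL. `toy_keygen`, the fingerprint format, and the host inventory are hypothetical stand-ins constructed for illustration; a real audit would compare real key fingerprints against a published list of the affected keys.

```python
import hashlib

SEED_SPACE = 32768  # possible generator states, the figure given in the article


def toy_keygen(seed: int) -> bytes:
    """Hypothetical stand-in for key generation (not OpenSSL): the output is
    fully determined by the seed, as it is for any PRNG-driven generator."""
    return hashlib.sha256(b"toy-keygen:" + seed.to_bytes(4, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, so the blocklist stores digests, not keys."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> frozenset:
    """Enumerate every seed once and record the fingerprint of each key."""
    return frozenset(fingerprint(toy_keygen(s)) for s in range(SEED_SPACE))


def audit(inventory: dict, blocklist: frozenset) -> list:
    """Return the names of hosts whose key must be regenerated and re-signed."""
    return sorted(h for h, key in inventory.items() if fingerprint(key) in blocklist)


# Constructed inventory: two keys from the reduced seed space, one from
# 32 bytes that no seed in the space produces.
INVENTORY = {
    "web01": toy_keygen(1234),
    "mail01": toy_keygen(32767),
    "db01": hashlib.sha256(b"constructed key from a healthy generator").digest(),
}

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(len(blocklist), "possible keys enumerated")
    for host in audit(INVENTORY, blocklist):
        print(host, "uses a predictable key: regenerate and re-sign")
```

The lookup is a set membership test, so auditing a large inventory costs almost nothing once the list exists; patching the software alone does not change the result for keys that were already generated.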

Originally published on Security Watch, the PC Magazine security blog.
